Tallinn cyber-warfare manual 2.0 refines definition of cyber-warfare

The Tallinn Manual's sequel has been released and builds on its predecessor's work by greatly expanding its gaze to peacetime cyber operations


The Tallinn Manual 2.0 is here to not only underline the presence of international law in the shadowy world of cyberspace, but to refine the meaning of cyber warfare.

The second iteration of the landmark document was launched in Washington on 8 February by the Netherlands Government, the Asser Institute and principally the Cooperative Cyber Defence Centre of Excellence.

The document itself updates the legal advice of the original manual, the world's first attempt to define the legal framework of cyber-warfare.

The original manual brought together 20 of the world's top international law experts to determine what the legal implications of an act of cyber warfare were. The legal scholars created an academic, non-binding study on how international law applies to cyber conflicts and cyber-warfare, which is widely referenced by lawyers globally.

Version 2.0 builds on that to discuss “cyber operations”, acts which fall below the threshold of acts of war, yet trouble the cyberspace of nation states on a far more regular basis.

While version 1.0 dealt with clearer acts of war, like the 2007 cyber-attacks on Estonia for which the manual was named, 2.0 deals with operations like the Sony breach of 2012 and the more recent breach of the Democratic National Committee.

Michael Schmitt, director of the Tallinn Manual Process and chairman of the International Law department at the United States Naval War College, began by addressing a fundamental assumption of the Tallinn Manual: simply, that even in an area as nebulous as cyberspace, international law does apply.

In the creation of 2.0, legal experts from around the world were drawn together to consult on how that international law might be applied.

Rutger Van Marissing, a senior policy officer at the Netherlands Ministry of Foreign Affairs, was involved in the 2.0 process. The current status of cyber-warfare risks escalation, said Van Marissing, adding that the Dutch government is “concerned that it's beginning to display tendencies of a classic security dilemma” in which “everybody's developing their capabilities because they're afraid of the opposing side”.

Such disorder requires international norms and a basic legal framework, which the Tallinn Manual, at least in part, attempts to provide. But Van Marissing cautioned, “That only works when everyone is on the same page.”

The 642-page manual doesn't provide entirely concrete answers, though. Judging the kinds of cyber-espionage that the National Security Agency (NSA) and Britain's GCHQ are meant to have conducted on their own citizens, as well as foreign states, proved difficult for 2.0's authors, who “were incapable of achieving consensus as to whether remote cyber-espionage reaching a particular threshold of severity violates international law.”

Consulting with a litany of international governments and legal experts predictably threw up conflicts. Schmitt added that while some issues couldn't be concretely judged, “what we did was capture all reasonable views and put them in the manual”.

Schmitt later added in a blog post that those differences should be taken into account by statesmen and lawmakers using the manual to make decisions: “Such clarification will help deter other states from exploiting these grey zones in the law of cyberspace.” States like Russia, Schmitt claims, have lurked in these grey areas in their cyber operations in Ukraine and in the recent case of the hacks on the Democratic National Committee (DNC).

Schmitt had earlier argued to the Washington Post that the hack on the DNC skirted around international law in those very grey areas. He told the paper that the act was “not an initiation of armed conflict. It's not a violation of the U.N. Charter's prohibition on the use of force. It's not a situation that would allow the U.S. to respond in self-defense militarily.”

Editor's Note: This article originally called Michael Schmitt by the wrong name - it has been updated.
